Click here to view a PDF version of this article.
The practice of scanning driver’s licences began about 10 years ago and became popular in clubs because it sped up the entry of temporary members into the premises of clubs and provided an additional form of identification in case there were legal issues, most recently related to money-laundering but also other illegal conduct. However, there has always been a tension between the use of ID scanners (including the use and retention of information captured by their use) and the Privacy Act 1988 (Cth) (Privacy Act).
To explain the tension for clubs, the obligations with regard to temporary members provides a good example. Section 31(1) of the Registered Clubs Act 1976 (NSW) (RCA) requires a club to keep a register of all temporary members. The club’s register must record the full name (or surname and initials) and the address of each temporary member and, in the case of paragraphs (e) and (f) of section 31(1), the signature of the temporary member. A driver’s licence provides all of that information, which is why scanning the driver’s licence is so convenient. However, a driver’s licence provides more than just the information which a club is required to keep under the RCA in relation to a temporary member.
Businesses covered by the Privacy Act can only collect personal information (other than sensitive information) if the information is reasonably necessary for the business to carry out one or more of its functions and activities and it is collected by lawful and fair means. They must also take reasonable steps to ensure that any personal information they hold is protected from misuse and unauthorised access or disclosure and that information is destroyed when it is no longer required.
Additional rules also apply under the Privacy Act for government related identifiers” such as driver’s licence numbers. The Privacy Act prohibits adopting, using, or disclosing those numbers except if required by law or it is necessary or verify identity or another limited exception applies under the Act.
On a practical level, much of the information on a driver’s licence is not necessary for a club to carry out its obligations under the RCA in respect to temporary members. For example, the obligations under the RCA do not require a club to record or retain licence numbers, card numbers or photographs taken from driver’s licences.
On the other hand, clubs also have obligations under the Anti‑Money Laundering and Counter‑Terrorism Financing Rules Instrument 2007 (AML Rules), which require a club to verify a customer’s identity using a primary photographic identification document (such as a driver’s licence or passport). Like compliance with the RCA, ID scanners provide clubs with an easy option to discharge these obligations. But it is important to understand that the club’s statutory obligations under the AML Rules only apply to the extent that the Club provides “designated services”, i.e., gaming services. Similarly, a club’s obligation to record the information required under r 107 of the Gaming Machines Regulation 2019 (NSW) (GMR) will only apply to certain patrons. That is, these verification and record keeping obligations will not apply to a person who has only visited the Club to, for example, dine at the bistro.
Furthermore, the minimum verification requirements under the AML Rules do not require a club to retain a copy of the primary photographic identification document relied upon. For example, a club can discharge the minimum verification obligations under the AML Rules by sighting a driver’s licence and recording the individual’s name and residential address (or name and date of birth). There is no statutory obligation to take a copy of the identification document itself. These minimum verification requirements may increase if the level of risk of money laundering or counter-terrorism is assessed as medium or high.
So, can you use ID scanners?
The short answer is yes. But, it is not sufficient to simply scan ID documents of all patrons and keep a copy of all the information contained on those documents. The law does not require or permit clubs to do that. Instead, at a minimum, scanners should be configured to ensure that all personal information which is not necessary for the club to carry out its functions is not captured and stored. Clubs should avoid storing photo IDs and drivers licence numbers except in the limited circumstances where it is required under the GMR and when it is determined (after a careful risk assessment) that this is the best way to comply with AML Rules and provided that the club’s practices are supported by a well publicised privacy policy and effective data security protocols.
Further Information and Contact Details
Should you wish to discuss any aspect of this Newsletter or want any legal advice about these matters, please contact any member of the Clubs team on 8251 7777 or by email:
Bruce Gotterson: | b.gotterson@pigott.com.au |
Ray Travers: | r.travers@pigott.com.au |
Tony Johnston: | t.johnston@pigott.com.au |
John Ralston: | j.ralston@pigott.com.au |
Michael McCluskey: | m.mccluskey@pigott.com.au |
Julian Hawkins: | j.hawkins@pigott.com.au |
This publication is produced by Pigott Stinson. It is intended to provide general information only. The contents of this publication do not constitute legal advice and should not be relied upon as legal advice. Formal legal advice should be sought from us in respect of the matters set out in this publication. Liability limited by a scheme approved under Professional Standards Legislation.